The debacle of YOUR ID: The State shows, once again, that it is not capable of even protecting its citizens' data.

The cyberattack on TuID, the state platform that verifies who you are in the digital world and allows you to sign with legal value, exposed what was already evident: the Uruguayan state is incapable of protecting the personal data of its citizens. Not even the most sensitive data. Not even when it comes to your face, your fingerprint, or your electronic signature.

On May 7, Antel confirmed the incident with the usual manual: “No passwords or specially protected data were compromised.” A comfortable phrase, repeated like a mantra. But it is enough to read the statement between the lines to understand that the response is insufficient, delayed, and, above all, not credible. Because with your name, ID number, date of birth, email, and address, they can already set up a scam that seems official. Imagine the WhatsApp: “Hello. We detected a problem with your digital identity TuID. To avoid the suspension of your electronic signature, verify your data here.” With your real data, it doesn’t look like spam. It looks like it’s from the State. And the State, precisely, is the one that failed.

The group LaPampaLeaks, which claimed responsibility for the attack, went further: ID numbers, names, dates of birth, emails, phone numbers, addresses, biometric data, and even information about digital signatures. Antel denies it. Cybersecurity expert Agustina Pérez Comenale, tired of the evasions, filed formal complaints with the Regulatory Unit for Personal Data Control (URCDP) and with Cybercrime at the Ministry of the Interior. Her demand is fundamental: Antel does not clearly state which data was affected. And if the biometrics were exposed, we are facing a problem of another dimension. A password can be changed. A face or a fingerprint cannot.

The law is clear. It requires notifying the regulator within 72 hours with precise details of the incident and the affected data. If the rights of individuals are compromised, they must also be notified in understandable language. None of that happened. Antel spoke of “protocols” and a complaint to the Prosecutor's Office. But it did not inform how many users were impacted, how long the vulnerability existed, whether there was compromised biometrics, or what the hell each citizen should do to protect themselves. Silence. Opacity. The same recipe as always.

And the timing couldn’t be more catastrophic. Uruguay is about to launch the digital wallet: ID, book, signature, and digital identity, all on the mobile phone. Digital identity in July. Complete wallet in December. The idea sounds modern. The problem is that the State wants us to trust our entire digital life in one device… while it is not capable of protecting even the platform that already exists. Digital trust is not built with slogans. It is built with transparency, with public technical reports, and with concrete answers. Here, there is only smoke.

This is not an isolated incident. It is the most recent proof that the Uruguayan state is not capable of protecting people's data. It is not capable of guaranteeing security. It is not capable of being transparent. It is not even capable of complying with its own laws. While hackers publish on the dark web what the State hides in press conferences, Uruguayans remain exposed. And the Government, instead of facing the issue with concrete data, asks for “calm” and continues with its agenda of digital centralization as if nothing had happened.

Specialist Pérez Comenale stated bluntly: if there was biometrics, the incident is of another scale. Antel says no. Someone is lying. And while that gap is not closed with actions, not with statements, the only certainty is that the State, once again, failed in the basics: to protect the citizens it is supposed to serve.

Meanwhile, the only thing an ordinary Uruguayan can do is what the State did not do: change their TuID password and PIN right now, check the status of their digital certificate, and distrust any message that asks for codes, data, or verifications. Because if one thing has become clear with this scandal, it is that when it comes to protecting your digital identity, the State not only does not serve: it is directly absent.

Digital trust is not an accessory. It is the entire system. And the Uruguayan state, as always, is breaking it from the inside.